Understand security threats and countermeasures for Office 2013

Summary: Explains how Office 2013 security features can mitigate risks and threats to your organization’s Office assets, documents, and processes.

Audience: IT Professionals

A secure desktop configuration is an important part of any organization's defense-in-depth strategy. This article begins with a short overview of the various general security risks and vulnerabilities to your organization’s business documents and assets, and then outlines the security features that are available in Office 2010 and Office 2013 and that can help mitigate these threats. Be sure to review these settings to determine which default and optional Office security features your organization should use.

This article is part of the Guide to Office 2013 security. Use the roadmap as a starting point for articles, downloads, posters, and videos that help you assess Office 2013 security.

Are you looking for security information about individual Office 2013 applications? You can find this information by searching for “2013 security” on Office.com.

Most IT professionals and IT security specialists categorize information security risks into three broad categories:

Confidentiality risks These risks represent threats to an organization’s intellectual property. They come from unauthorized users and from malicious code that can attempt to access what is said, written, and created in an organization.

Integrity risks These risks represent threats to your business resources. They come from unauthorized users and from malicious code that can attempt to corrupt the business data that your organization relies on. Integrity risks jeopardize any business asset that contains critical information for an organization, such as database servers, data files, and email servers.

Availability risks These risks represent threats to business processes. They come from unauthorized users and from malicious code that can attempt to disrupt the way that you do business and the way users complete their work. Business intelligence processes, application features and capabilities, and document workflow processes can all be threatened by availability risks.

To help make sure that your organization is protected from all three of these risk categories, we recommend a defense-in-depth security strategy. This strategy should include multiple overlapping layers of defense against unauthorized users and malicious code. Layers typically include the following:

By default, the Office 2013 security model helps an organization mitigate all three kinds of risk. But, every organization has different infrastructure capabilities, different productivity demands, and different desktop security requirements. To determine exactly how your organization can mitigate these business risks, you have to evaluate the threats and vulnerabilities that exploit these risks.

The security model for Office 2013, as with Office 2010, helps you mitigate five kinds of productivity software security threats. Each of these threat types includes vulnerabilities that can be exploited by various security attacks. The following illustration shows the security threats and examples of the most common threat agents.

Most organizations face some potential risk from these security threats. But, most organizations also deal with unique combinations of vulnerabilities and potential security attacks or exploits. Therefore, it is important to understand the risks and map a mitigation plan that fits your organization.

Office 2013 provides many countermeasures that help mitigate threats to your business assets and business processes. A countermeasure is a security feature or a security control that mitigates one or more security threats. You can usually change the behavior of countermeasures by configuring settings in the Office Customization Tool (OCT) or through Group Policy by using the Office 2013 Administrative Templates.

Many of the countermeasures in Office 2013 mitigate a specific kind of threat in one particular application. For example, InfoPath 2013 includes a countermeasure that warns users about the possible presence of web beacons in forms. You can change the behavior of this countermeasure by configuring the Beaconing UI for forms opened in InfoPath setting in the OCT or through Group Policy.

Other countermeasures mitigate broader kinds of threats that are common to several applications. For example, the Protected View feature enables users to view the content of untrusted documents, presentations, and workbooks without enabling unsafe content or malicious code to harm the computer. This countermeasure is used by Excel 2013, PowerPoint 2013, Word 2013, and Outlook 2013 when you preview attachments for Excel 2013, PowerPoint 2013, Visio 2013, and Word 2013. You can change its behavior by configuring several settings in the OCT or through Group Policy. For details, see the Plan Protected View settings for Office 2013 article.

The following sections describe the most frequently used countermeasures in Office 2013.

You can use ActiveX control settings to disable ActiveX controls and change the way ActiveX controls are loaded into Office 2013 applications. By default, trusted ActiveX controls are loaded in safe mode with persistent values and users aren’t notified that the ActiveX controls are loaded. Untrusted ActiveX controls load differently, depending on how the ActiveX control is marked and whether a VBA project exists in the file together with the ActiveX control. The default behavior of untrusted ActiveX controls is as follows:

If an ActiveX control is marked Safe for Initialization (SFI) and it is contained in a document that does not contain a VBA project, the ActiveX control is loaded in safe mode with persistent values. The Message Bar does not appear and users aren’t notified about the presence of the ActiveX control. All ActiveX controls in the document must be marked SFI for this behavior to occur.

If an ActiveX control is marked Unsafe for Initialization (UFI) and it is contained in a document that does not contain a VBA project, users are notified in the Message Bar that ActiveX controls are disabled. But, users can select the Message Bar to enable ActiveX controls. If a user enables ActiveX controls, all ActiveX controls (those marked UFI and SFI) are loaded in safe mode with persistent values.

If an ActiveX control marked UFI or SFI is contained in a document that also contains a VBA project, users are notified in the Message Bar that ActiveX controls are disabled. But, users can select the Message Bar to enable ActiveX controls. If a user enables ActiveX controls, all ActiveX controls (those marked SFI and UFI) are loaded in safe mode with persistent values.

Important:

If a kill bit is set in the registry for an ActiveX control, the control isn’t loaded and can’t be loaded in any circumstance. The Message Bar does not appear and users aren’t notified about the presence of the ActiveX control. If you want to learn much more about the broader subject of kill bits, see the three-part TechNet blog The Kill-Bit FAQ.
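The decision rules above (kill bit, SFI versus UFI, presence of a VBA project) all rest on state that can be read from the machine and from the file. The following PowerShell is an added example and is not code from the Office 2013 documentation: it reads the IE and Office kill-bit keys and the "Safe for Initializing" component category for a control, extracts the CLSIDs and VBA project part from an Open XML file, and applies the default rules to each control. The component-category GUIDs and registry paths are the ones Windows and Office define; the sample file path is hypothetical.

```powershell
# Added example; not code from the Office 2013 documentation. The sample path at the
# bottom is hypothetical. Run in the context of the machine whose Office you are assessing.

Add-Type -AssemblyName System.IO.Compression.FileSystem

# Component-category GUIDs defined by Windows: CATID_SafeForInitializing / CATID_SafeForScripting.
$CATID_SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
$CATID_SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$KILLBIT_FLAG = 0x400   # bit in the "Compatibility Flags" DWORD that kills a control

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    # Kill bits live under Internet Explorer's "ActiveX Compatibility" key and under Office's
    # own "COM Compatibility" key. 32-bit Office on 64-bit Windows reads the Wow6432Node view.
    $keys = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\$Clsid"
    )
    foreach ($key in $keys) {
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $flags -and ($flags -band $KILLBIT_FLAG) -ne 0) { return $true }
    }
    return $false
}

function Get-ActiveXControlInfo {
    param([Parameter(Mandatory)][string]$Clsid)
    # A control that declares safety through the registry lists the category GUIDs under
    # HKCR\CLSID\{clsid}\Implemented Categories. Controls can also answer IObjectSafety at
    # run time, which a registry read cannot observe.
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $catKey   = "$clsidKey\Implemented Categories"
    [pscustomobject]@{
        Clsid               = $Clsid
        Registered          = Test-Path -Path $clsidKey
        Server              = (Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        SafeForInitializing = Test-Path -Path "$catKey\$CATID_SafeForInitializing"
        SafeForScripting    = Test-Path -Path "$catKey\$CATID_SafeForScripting"
        KillBitSet          = Test-ActiveXKillBit -Clsid $Clsid
    }
}

function Get-OfficeFileActiveXParts {
    param([Parameter(Mandatory)][string]$Path)
    # Open XML packages store each control as word|xl|ppt/activeX/activeXN.xml, whose root
    # element ax:ocx carries the CLSID; a VBA project is the part vbaProject.bin.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entries = @($zip.Entries)
        $hasVba  = [bool]($entries | Where-Object { $_.FullName -match '^(word|xl|ppt)/vbaProject\.bin$' })
        $ns      = @{ ax = 'http://schemas.microsoft.com/office/2006/activeX' }
        $clsids  = foreach ($e in $entries | Where-Object { $_.FullName -match '^(word|xl|ppt)/activeX/activeX\d+\.xml$' }) {
            $reader = New-Object System.IO.StreamReader($e.Open())
            try { $xml = [xml]$reader.ReadToEnd() } finally { $reader.Dispose() }
            (Select-Xml -Xml $xml -XPath '/ax:ocx/@ax:classid' -Namespace $ns).Node.Value
        }
        [pscustomobject]@{ Path = $Path; HasVbaProject = $hasVba; Clsids = @($clsids | Sort-Object -Unique) }
    } finally { $zip.Dispose() }
}

function Get-OfficeActiveXAssessment {
    param([Parameter(Mandatory)][string]$Path)
    $parts  = Get-OfficeFileActiveXParts -Path $Path
    $infos  = @($parts.Clsids | ForEach-Object { Get-ActiveXControlInfo -Clsid $_ })
    # Silent load requires every control in the file to be SFI and no VBA project present.
    $allSfi = -not ($infos | Where-Object { -not $_.SafeForInitializing })
    foreach ($i in $infos) {
        $behavior = if ($i.KillBitSet)            { 'Never loaded; no Message Bar (kill bit set)' }
                    elseif (-not $i.Registered)   { 'Not registered on this machine; cannot load' }
                    elseif ($parts.HasVbaProject) { 'Disabled; Message Bar lets the user enable (VBA project present)' }
                    elseif ($allSfi)              { 'Loaded silently in safe mode with persistent values (all controls SFI)' }
                    else                          { 'Disabled; Message Bar lets the user enable (at least one control is UFI)' }
        $i | Add-Member -NotePropertyName ExpectedBehavior -NotePropertyValue $behavior -PassThru
    }
}

# Usage (hypothetical path):
Get-OfficeActiveXAssessment -Path 'C:\Samples\form.docm' |
    Format-Table Clsid, Registered, SafeForInitializing, KillBitSet, ExpectedBehavior -AutoSize
```

Two caveats apply when reading the output. A control can claim SFI through IObjectSafety at load time rather than through the registry category, so a control reported as UFI here may still load silently; conversely, a control that is not registered on the assessing machine may be present on the target desktop. The assessment is also per machine: kill bits are set in HKLM by security updates, so the same document behaves differently on a desktop that is behind on patching.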

You can use add-in settings to disable add-ins, require add-ins be signed by a trusted publisher, and disable notifications for add-ins. By default, installed and registered add-ins can run without requiring user intervention or warning. To change this default behavior, see Plan security settings for add-ins for Office 2013.

Use Group Policy or the Trust Center to restrict or deny access for users in your organization to the apps from the Office Store or your corporate catalog of apps for Office. These apps for Office are web extensions that extend Office client applications to enhance Office content and provide new interactive content types and functionality.

Security precautions, such as password protection for a document or spreadsheet, work well until the owner forgets the password or leaves the company. An IT admin can now set up an organization’s client computers to include certificate metadata in these Office password-protected documents. Later, if the password is lost or forgotten, you can use the DocRecrypt tool to remove or change the password on the document. Because the private key of that escrow certificate can unlock every document it was embedded in, protect it as you would any other master key. See the article Remove or reset file passwords in Office 2013 for detailed information.

You can use the digital signature settings in the OCT to configure the XML Advanced Electronic Signatures (XAdES) level of the signature. By default, Office 2013 creates an XAdES-EPES (Explicit Policy Electronic Signature) signature. An IT admin can also restrict signing certificates by issuer name and configure which hash algorithms and public key sizes are accepted in a valid digital signature. Configure these settings in the OCT. See the article Plan digital signature settings for Office 2013 for detailed information.

You can use external content settings to change the way Office 2013 applications access external content. External content is any kind of content that is accessed remotely, such as data connections and workbook links, hyperlinks to web sites and documents, and links to images and media. By default, when a user opens a file that contains links to external content, the Message Bar notifies the user that the links are disabled. Users can enable the links by clicking or tapping the Message Bar. We recommend that you not change these default settings. For more information about blocking or unblocking external content in Office documents, see Block or unblock external content in Office documents.

You can use File Block settings to prevent specific file types from being opened or saved. You can also use these settings to prevent certain file types from opening in Protected View or force certain file types to open in Protected View. By default, Excel 2013, PowerPoint 2013, and Word 2013 force several kinds of files to open only in Protected View. Users can’t open these file types for editing. For details, see Plan file block settings for Office 2013.

You can use Office File Validation settings to disable the Office File Validation feature and change how the Office File Validation feature handles files that don’t pass validation. You can also use these settings to prevent the Office File Validation feature from prompting users to send validation information to Microsoft. By default, the Office File Validation feature is enabled. Files that don’t pass validation are opened in Protected View and users can edit files after they are opened in Protected View. For more information about Office File Validation settings, see Plan Office File Validation settings for Office 2013.

You can use password complexity settings to enforce password length and complexity for passwords that are used with the Encrypt with Password feature. If your organization has established password complexity rules through domain-based Group Policy, you can enforce them at the domain level; otherwise, you can enforce length and complexity locally. By default, Office 2013 applications don’t check password length or complexity when a user encrypts a file by using the Encrypt with Password feature. See the article Plan password complexity settings for Office 2013 for detailed information.

You can use privacy options to prevent the Welcome to Microsoft Office 2013 dialog box from appearing the first time that a user starts Office 2013. This dialog box lets users enroll in various Internet-based services that help protect and improve Office 2013 applications. You can also use privacy options to enable the Internet-based services that appear in the Welcome to Microsoft Office 2013 dialog box. By default, the Welcome to Microsoft Office 2013 dialog box appears when a user starts Office 2013 for the first time, and users can enable the recommended Internet-based services, enable a subset of these services, or make no configuration changes. If a user makes no configuration changes, the following default settings take effect:

Office 2013 applications do not download small programs that help diagnose problems and error message information isn’t sent to Microsoft.

You can use Protected View settings to prevent files from opening in Protected View and force files to open in Protected View. You can also specify whether you want scripts and programs that run in Session 0 to open in Protected View. By default, Protected View is enabled and all untrusted files open in Protected View. Scripts and programs that run in Session 0 don’t open in Protected View.

Also, improvements to Protected View include a new “sandbox” technology when Office 2013 runs on Windows 8. As part of these improvements, Protected View now works in RunAs or RemoteApp scenarios on Windows 8.

You can use Trusted Documents settings to disable the Trusted Documents feature and prevent users from trusting documents that are stored on network shares. Trusted documents bypass most security checks when they are opened and all active content is enabled. Note that antivirus checking and ActiveX kill-bit checking are the two checks that can’t be bypassed. By default, the Trusted Documents feature is enabled, which means users can designate safe files as trusted documents. In addition, users can designate files on network shares as trusted documents. We recommend that you not change these default settings.

You can use Trusted Locations settings to designate safe locations for files. Files that are stored in trusted locations bypass most security checks when they are opened and all content in the file is enabled (antivirus checking and ActiveX kill bit checking are the two checks that can’t be bypassed). By default, several locations are designated as trusted locations. Also, trusted locations that are on a network, such as shared folders, are disabled. To change this default behavior, and discover which locations are designated as trusted locations by default, see Plan and configure Trusted Locations settings for Office 2013.
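Because trusted documents and trusted locations skip every check except antivirus and the kill bit, the list of what a user has trusted is worth auditing. The following PowerShell is an added example, not code from the Office 2013 documentation, covering both the Trusted Documents and the Trusted Locations paragraphs above: it enumerates the current user's trusted locations and trust records for Word, Excel and PowerPoint 2013 and flags locations that are on the network or writable by the user. The registry layout is the one Office uses under HKCU\Software\Microsoft\Office\15.0 and HKCU\Software\Policies\Microsoft\Office\15.0; the property names UserWritable and Effective are this script's own labels.

```powershell
# Added example; not code from the Office 2013 documentation. Run in the user's own session:
# trust records and user-defined locations are stored per user.

$Version    = '15.0'   # Office 2013
$Apps       = 'Word', 'Excel', 'PowerPoint'
$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office'
$UserRoot   = 'HKCU:\Software\Microsoft\Office'

function Get-RegValue {
    param([string]$Key, [string]$Name)
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-OfficeTrustedLocations {
    foreach ($app in $Apps) {
        $policyKey = "$PolicyRoot\$Version\$app\Security\Trusted Locations"
        $userKey   = "$UserRoot\$Version\$app\Security\Trusted Locations"
        # "Disable all trusted locations" (policy) wins over everything; UNC paths need an explicit opt-in.
        $allDisabled  = (Get-RegValue $policyKey 'AllLocationsDisabled') -eq 1
        $allowNetwork = ((Get-RegValue $policyKey 'AllowNetworkLocations') -eq 1) -or
                        ((Get-RegValue $userKey   'AllowNetworkLocations') -eq 1)
        foreach ($source in 'Policy', 'User') {
            $key = if ($source -eq 'Policy') { $policyKey } else { $userKey }
            if (-not (Test-Path $key)) { continue }
            # Each LocationN subkey holds Path, AllowSubfolders and Description.
            foreach ($loc in Get-ChildItem -Path $key) {
                $p    = Get-ItemProperty -Path $loc.PSPath
                $path = [Environment]::ExpandEnvironmentVariables([string]$p.Path)
                $unc  = $path -like '\\*'
                [pscustomobject]@{
                    App             = $app
                    Source          = $source
                    Entry           = $loc.PSChildName
                    Path            = $path
                    Description     = [string]$p.Description
                    AllowSubfolders = ($p.AllowSubfolders -as [int]) -eq 1
                    NetworkPath     = $unc
                    Exists          = Test-Path -LiteralPath $path
                    # Anything under the profile is writable by the user, and by malware running as the user.
                    UserWritable    = $path -like "$env:USERPROFILE*"
                    # Whether Office will honour the entry given AllLocationsDisabled / AllowNetworkLocations.
                    Effective       = (-not $allDisabled) -and ((-not $unc) -or $allowNetwork)
                }
            }
        }
    }
}

function Get-OfficeTrustedDocuments {
    foreach ($app in $Apps) {
        $policyKey  = "$PolicyRoot\$Version\$app\Security\Trusted Documents"
        $recordsKey = "$UserRoot\$Version\$app\Security\Trusted Documents\TrustRecords"
        # Each TrustRecords value is one document the user has trusted; the value name is the file's location.
        $records = if (Test-Path $recordsKey) { @((Get-Item -Path $recordsKey).GetValueNames()) } else { @() }
        [pscustomobject]@{
            App                     = $app
            FeatureDisabledByPolicy = (Get-RegValue $policyKey 'DisableTrustedDocuments') -eq 1
            NetworkTrustDisabled    = (Get-RegValue $policyKey 'DisableNetworkTrustedDocuments') -eq 1
            TrustedDocumentCount    = $records.Count
            TrustedDocuments        = $records
        }
    }
}

# Usage: list only the locations Office will actually honour that are network or user-writable.
Get-OfficeTrustedLocations | Where-Object { $_.Effective -and ($_.UserWritable -or $_.NetworkPath) } |
    Format-Table App, Source, Path, AllowSubfolders, NetworkPath, UserWritable -AutoSize
Get-OfficeTrustedDocuments | Format-List
```

Expect several of the default locations, such as the user Templates and Startup folders under %APPDATA%, to show UserWritable. That is the reason the defaults deserve review: a file that malware running as the user drops into such a folder runs its macros and ActiveX controls with no Message Bar. The Trusted Documents count gives the second half of the picture, since every record is a file whose active content will run without prompting the next time it is opened from that location.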

You can use Trusted Publishers settings to designate active content from specific publishers as safe, such as ActiveX controls, add-ins, and VBA macros. When a publisher signs active content with a digital certificate, and you add the publisher’s digital certificate to the Trusted Publishers list, that active content is considered trusted and runs without prompting. By default, there are no publishers on the Trusted Publishers list; you must add publishers to the list to implement this security feature. To implement the Trusted Publishers feature, see Plan and configure Trusted Publishers settings for Office 2013.

You can use VBA macro settings to change the way VBA macros behave, disable VBA, and change the way VBA macros behave in applications that are started programmatically. By default, VBA is enabled and trusted VBA macros can run without notification. Trusted VBA macros include VBA macros that are signed by a trusted publisher, stored in a trusted document, or stored in a document that is in a trusted location. Untrusted VBA macros are disabled, but a notification in the Message Bar lets users enable untrusted VBA macros. In addition, VBA macros can run in applications that are started programmatically.
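The macro and Protected View defaults described above (and in the Protected View paragraph earlier) are both stored as per-application registry values, with Group Policy and OCT values under HKCU\Software\Policies taking precedence over the Trust Center values under HKCU\Software\Microsoft. The following PowerShell is an added example, not code from the Office 2013 documentation: it resolves the effective VBAWarnings level and any Protected View exemptions for Word, Excel and PowerPoint 2013 and reports where each value came from. The value names and their meanings are the ones Office 2013 uses; the Findings text is this script's own.

```powershell
# Added example; not code from the Office 2013 documentation. Reads the current user's
# effective macro and Protected View configuration for Office 2013 (version key 15.0).

$Version = '15.0'
$Apps    = 'Word', 'Excel', 'PowerPoint'

# Meaning of the VBAWarnings DWORD (Trust Center > Macro Settings). An unset value behaves as 2.
$VbaWarningText = @{
    1 = 'Enable all macros'
    2 = 'Disable all macros with notification (default)'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-OfficeSecurityValue {
    param([string]$App, [string]$RelativeKey, [string]$Name)
    # Returns the first hive that defines the value, policy first; Source is 'Default' if neither does.
    $hives = [ordered]@{
        Policy = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\$RelativeKey"
        User   = "HKCU:\Software\Microsoft\Office\$Version\$App\$RelativeKey"
    }
    foreach ($source in $hives.Keys) {
        $v = (Get-ItemProperty -Path $hives[$source] -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($null -ne $v) { return [pscustomobject]@{ Source = $source; Value = [int]$v } }
    }
    [pscustomobject]@{ Source = 'Default'; Value = $null }
}

function Get-OfficeMacroPosture {
    foreach ($app in $Apps) {
        $vba   = Get-OfficeSecurityValue $app 'Security' 'VBAWarnings'
        $level = if ($null -eq $vba.Value) { 2 } else { $vba.Value }

        # Protected View exemptions: a value of 1 turns Protected View off for that file origin.
        $pvBypass = foreach ($name in 'DisableInternetFilesInPV', 'DisableUnsafeLocationsInPV', 'DisableAttachmentsInPV') {
            $r = Get-OfficeSecurityValue $app 'Security\ProtectedView' $name
            if ($r.Value -eq 1) { "$name ($($r.Source))" }
        }

        $findings = @()
        if ($level -eq 1) { $findings += 'Macros run with no notification at all' }
        if ($level -eq 2) { $findings += 'Users can enable untrusted macros from the Message Bar' }
        if ($vba.Source -ne 'Policy') { $findings += 'Macro setting is not enforced by policy; users can change it in the Trust Center' }
        if ($pvBypass) { $findings += "Protected View bypassed for: $($pvBypass -join ', ')" }

        [pscustomobject]@{
            App                 = $app
            VBAWarnings         = $level
            MacroSetting        = $VbaWarningText[$level]
            Source              = $vba.Source
            ProtectedViewBypass = @($pvBypass)
            Findings            = $findings
        }
    }
}

Get-OfficeMacroPosture | Format-List
```

A clean report shows Source = Policy, VBAWarnings of 3 or 4, and an empty ProtectedViewBypass for every application. A Source of User or Default with VBAWarnings = 2 is the out-of-box state the text describes: safe only as long as users decline the Message Bar prompt. Note that the check covers the three applications named; Access and Outlook store their macro settings differently and are not represented here.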